Scott Kitterman said [Tue, Aug 25, 2015 at 11:57:11AM -0400]:
> > No, we don't require to rebuild everything from source. It should just
> > be possible to do it with what is in main. The last occurrence that I
> > can find of this discussion is here:
> > https://lists.debian.org/debian-devel/2014/11/msg00929.html
> > The question posed there was, I think, already pretty clearly answered:
> > https://lists.debian.org/debian-devel-announce/2014/04/msg00014.html
>
> AFAIK we've only ever discussed the need to provide source. I don't know why
> there would be a requirement to reminify.

The main reason IMO is that, unless we can ensure the minified code is identical to what we are able to produce, we cannot be sure of its contents. If upstream changes the version of the JS library-to-be-minified then our provided source will no longer match. Even worse, if upstream (or an attacker to upstream) were to modify specific bits of the minified thingy (quite probably, the pre-minified thingy they'd minify and ship), they will put our users in compromised situations. So, we can ensure a bit-identical minification (that is, checking the hash for each minified JS or whatever other language we ship), or just minify from a known-good source and distribute our results. Minification is a very fast process IMO, so I don't see why not to do it.
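
An added example, not part of the original message: one way to run the hash check described above, rebuilding each shipped `*.min.js` from the `*.js` beside it and comparing SHA-256 digests. The whitespace-stripping minifier, the file names and the tree layout are assumptions constructed for the demonstration.

```python
import hashlib, subprocess, sys, tempfile
from pathlib import Path

# Stand-in minifier (assumption): strips all whitespace, stdin -> stdout.
# A real check would call the packaged minifier, pinned to one version.
TOY_MINIFIER = [sys.executable, "-c",
    "import sys; sys.stdout.buffer.write(b''.join(sys.stdin.buffer.read().split()))"]

def digest(data):
    return hashlib.sha256(data).hexdigest()

def check_minified(tree, minify_cmd=TOY_MINIFIER):
    """Rebuild every shipped *.min.js from the *.js beside it and compare hashes."""
    results = {}
    for shipped in sorted(Path(tree).rglob("*.min.js")):
        name = shipped.relative_to(tree).as_posix()
        source = shipped.with_name(shipped.name[:-len(".min.js")] + ".js")
        if not source.is_file():
            results[name] = "no-source"      # nothing to rebuild from
            continue
        rebuilt = subprocess.run(minify_cmd, input=source.read_bytes(),
                                 stdout=subprocess.PIPE, check=True).stdout
        same = digest(rebuilt) == digest(shipped.read_bytes())
        results[name] = "match" if same else "mismatch"
    return results

def demo():
    """Constructed tree: one honest file, one altered after minification, one orphan."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        (tree / "ok.js").write_bytes(b"total = 1 + 2 ;\n")
        (tree / "ok.min.js").write_bytes(b"total=1+2;")
        (tree / "changed.js").write_bytes(b"total = 1 + 2 ;\n")
        (tree / "changed.min.js").write_bytes(b"total=1+2;extra();")
        (tree / "orphan.min.js").write_bytes(b"f();")
        return check_minified(tree)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

A "mismatch" does not say whether the shipped file was altered or merely built with a different minifier version; in both cases the shipped bytes are not what the provided source produces.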